Numbers are a big part of any journey. The cost of a journey, the miles in a journey, the exit that you need to take….they are all numbers.
Let’s look at the recent Uber data breach by the numbers:
57,000,000 - the number of names, email addresses and mobile phone numbers of Uber customers that were lost. By customers, I mean real people. People like you. People like me.
600,000 - the number of Uber drivers that had their names and driving license details lost. Uber drivers are people too. They have been given free credit monitoring protection. The rest of us? Not a thing.
$100,000 - the amount of money that was paid to the bad guys to 1) get them to be quiet, and 2) get them to delete the data that they stole. Before you get up in arms and say WHOA….they stole the data, how can you be sure that they deleted it?!?, take a deep breath. They promised that they deleted it. They may be criminals, but do we really think that they are liars as well? Ok. Maybe I am being a teeny tiny bit sarcastic there.
2016 - the year that the breach happened. Now, I know some of you are really good with numbers and are doing the math in your heads. 2017 minus 2016 = 1. As in this happened 1 year ago. Well, if they knew about this a year ago, they obviously told the people who were impacted, right? Nope. Well, if they knew about this a year ago, they obviously told the relevant Authorities, right? Nope. Well, who did they tell? Ahhh yes, they told the hackers that they paid the $100,000 to. That’s ok though. Remember: They promised to delete the data that they stole.
So, how did it happen?
According to published reports, the hackers got into Uber's GitHub account (it is a web repository where IT developers store their code). Once in the GitHub account, hackers found the username and password to access the Uber data stored in an Amazon server (now is a good time to shamelessly plug our previous post called “Fluffy Cloud, Storm Cloud” – you can find it on our website blog). Those impacted will be pleased to know that, according to security experts, this was not a sophisticated hack. Companies frequently (and accidentally) keep credentials in source code that is uploaded to GitHub. See – it happens all the time. Doesn’t that make you feel better?
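For the developers reading: the kind of check that catches credentials left in source code before they are uploaded. This is an added example, not Uber's code or anything taken from the published reports; the rule names and the sample file are made up for illustration, and the AWS values in it are the placeholder keys from AWS's own documentation.

```python
import re
import sys

# Constructed sample of a settings file committed by mistake. The two AWS
# values are the placeholder keys from AWS's own documentation, not real ones.
SAMPLE_FILE = '''\
# settings.py
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = os.environ["DB_PASSWORD"]
admin_password = "constructed-example-password"
'''

# Rule names are hypothetical labels chosen for this example.
RULES = [
    # Long-term AWS access key IDs: "AKIA" followed by 16 characters.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A 40-character secret assigned as a quoted literal.
    ("aws-secret-access-key", re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"'][A-Za-z0-9/+=]{40}[\"']")),
    # Any *password* name assigned a quoted literal. A lookup such as
    # os.environ["DB_PASSWORD"] is not a literal and is not flagged.
    ("hardcoded-password", re.compile(
        r"(?i)\b\w*(?:password|passwd)\w*\s*[=:]\s*[\"'][^\"']{4,}[\"']")),
]


def scan(text):
    """Return (line number, rule name) for every line that trips a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none given.
    sources = {p: open(p, errors="replace").read() for p in sys.argv[1:]}
    if not sources:
        sources = {"<sample>": SAMPLE_FILE}
    hits = 0
    for path, text in sources.items():
        for lineno, rule in scan(text):
            hits += 1
            # Report only location and rule, never the secret itself.
            print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if hits else 0)
```

Run against the files about to be committed, a non-zero exit status can be used to stop the commit before the credentials ever reach GitHub.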
Why is this different than the other recent data breaches? There has been a rash of high-profile data breaches recently: Equifax. Yahoo. The list goes on. So how is this one different? Quite simply, the company knew about it and tried to cover it up. They did not alert customers or the relevant authorities about the issue. The reason that this hit the press was that new Uber CEO Dara Khosrowshahi decided to make this public. On a positive note, the release of the information came with an apology and a promise to improve the company’s digital defences. As long as you say “sorry” then that makes it all better.
Oh….guess what. This isn’t the first time that Uber has had a data problem. In 2014, a hacker accessed Uber data on more than 100,000 drivers. Additionally, Uber settled charges with the US Federal Trade Commission for allowing its employees to access riders’ most personal information, including the details of their trips. By “riders”, that means us. They were accessing our details.
What can be done about this? The General Data Protection Regulation states that all data at rest, in memory and in transit must be protected. Hopefully, people will start to do that soon.
At Exate Technology, we can help. It’s what we do.